The rapid adoption of mobile devices by employees—iPhones, iPads, Android smartphones, and other devices—creates new challenges for employers. Many companies have adopted formal policies that permit employees to use their personal mobile devices to create, store, and transmit work-related data. These new policies may turn an employee’s personal device into a “dual use” device used for both personal and company data and activities. This trend is generally referred to as “Bring Your Own Device,” or BYOD.
While these policies may reduce expenses, aid in recruiting new employees, and allow employers to more quickly take advantage of new technologies, having corporate data transferred and stored on employee-owned personal devices creates significant legal challenges.
For example, maintaining and storing data is a highly regulated area. Many states have enacted laws that impose information security obligations on businesses that collect or store Social Security numbers, drivers’ license numbers, credit and debit card numbers, and financial account numbers. Other states impose a general statutory duty on businesses to safeguard personal information.[1]
Security breach notification laws may have application to employee devices. If an employee’s dual use device is lost, stolen, hacked, or otherwise subject to unauthorized access, the employer will, at a minimum, be required to evaluate whether notification is necessary unless all personal information stored on the compromised dual use device is encrypted.
Some laws mandate encryption of portable storage media containing personal information.[2] The HIPAA Security Rule, moreover, requires that covered entities at least consider whether encryption of personal health information in electronic form is feasible and, if not, document the basis for that conclusion.[3]
Many states require the secure destruction of certain types of sensitive information, and regulations promulgated under the Fair Credit Reporting Act require the secure destruction of consumer report information.[4]
Most confidentiality or non-disclosure agreements and court protective orders obligate parties to securely destroy confidential information obtained from the counterparty. If the records are stored on employee devices or with cloud providers beyond the company’s control, compliance with these obligations can be challenging.
Litigation Holds and Investigations
A BYOD environment implicates a host of e-discovery challenges. A threshold e-discovery obligation, once the duty to preserve is triggered, is to identify and preserve relevant sources of data.[5] Under a BYOD model, the employer may have little information about where all of its data is stored. The employer may be left with very little, if any, ability to preserve information from these sources, and may be completely at the mercy of its employees for this information.
An employer’s IT department may not have the expertise to defensibly collect data from the variety of devices used by its employees for purposes of litigation. A corporation may have the internal qualifications and resources to forensically copy hard drives formatted with a Microsoft Windows operating system, but may have difficulty making copies of an iPhone or iPad.[6] The ability and method for collecting data on dual use devices may vary greatly depending upon the operating system (OS) (e.g., Apple iOS, Windows Mobile, Android, Palm, etc.).
Fed. R. Civ. P. 34 requires a party to produce responsive documents and electronically stored information in its possession, custody or control. The rule applies equally to preservation.[7] Under Rule 34, the term “control” does not require that a party have legal ownership or actual physical possession of the information at issue.[8] In Hagerman v. Accenture,[9] the U.S. District Court in Minnesota held that data employees stored on a remote server was under the employer’s control if the employees were able to access the information during the normal course of their duties.
In Hatfill v. New York Times,[10] plaintiff filed a motion to compel interview notes stored on a non-party reporter’s personal flash drive. The U.S. District Court for the Eastern District of Virginia held that the Times had formally ceded to its reporter employees any right to possess or control dissemination of notes and unpublished materials. The policy was reflected in a bargaining agreement, and was found not to have been created for the purpose of avoiding discovery requests. Accordingly, the Times did not have the legal right, over the reporter’s objection, to obtain the flash drive.
When the employer is put on notice of its preservation obligation, notice may be imputed to its employees.[11] Under general agency law, an employer may be deemed responsible for the spoliation of relevant evidence done by its employees.[12] In contrast, in Nucor Corp. v. Bell,[13] the U.S. District Court in South Carolina found that an employee destroyed confidential information on a thumb drive in order to protect his own interests (as opposed to those of his employer). The employee did not consult with his employer prior to the deletion, indicating that he was acting for his own benefit, and not within the scope of his employment.
Trade Secret Information
Prior to BYOD programs, many employers would have disciplined or terminated an employee who brought their own storage devices into the workplace, or who copied company data onto their personal devices. Now, however, these actions may be the intended result of a company BYOD program.
Companies adopting BYOD policies should update confidentiality agreements, take practical steps to safeguard confidential information and trade secrets, and take post-termination steps to preserve (if necessary) and delete company information on departing employees’ devices.
BYOD policies may make it more challenging for an employer to prove misappropriation, because the employee was permitted to store the company’s trade secrets on the employee’s dual use device.[14]
Companies also need to focus on the risks of employees who join their organization and bring with them confidential or trade secret data from their prior employment. This problem is especially acute in the case of contingent workers. The new employer needs to ensure that the contingent worker’s former employer’s confidential or trade secret information does not find its way into the new company’s systems through the worker’s dual use device or other storage media.
New attention also needs to be paid to contracts with agencies providing contingent workers. Many of these contracts are form agreements that may ignore these issues.
Risk of Wage and Hour Claims
Allowing non-exempt employees to use their own mobile devices to conduct work-related business involves the risk that those employees will raise wage and hour claims for “off-the-clock” work. Even if a non-exempt employee uses his or her personal device voluntarily and without directive from the employer, the employee may need to be compensated for the time spent making work-related calls or reading and writing emails.
Employers should have a policy in place requiring employees to record all time worked, including time worked out of the office and outside regular office hours.[15] This policy can be expanded and clarified to expressly require employees to record time spent responding to emails and answering phone calls while out of the office.
An employer may also institute a policy requiring prior written authorization to work remotely via mobile device. The policy could also address the timing for responding to after-hours emails and instruct employees that, unless they are directed to provide an immediate response, all emails should be responded to only during work hours.
Managers should be trained to comply with the policy and recognize when they are putting non-exempt employees in jeopardy of working outside of working hours (e.g., sending an email to a non-exempt employee after hours).
Leave-of-absence policies should remind employees that they are not to be performing work during a leave of absence, and emphasize that this prohibition includes avoiding and not responding to all calls and emails received during this period, including any on their personal device. The most complete solution is to deactivate the employee’s connection to the company’s data and systems or reconfigure the system so calls and emails are redirected to another employee.
BYOD policies may be on their way to being the new normal, but they carry with them significant risks. To take advantage of the promise offered by these policies, while avoiding potential liability on many fronts, companies need to educate themselves and their employees and establish appropriate policies and practices concerning the use of, and employers’ and employees’ respective rights and responsibilities concerning, dual use devices.[16]
Philip M. Berkowitz is a partner and U.S. co-chair of Littler Mendelson’s international law practice; he is based in the New York office.
1. See, e.g., Cal. Civ. Code §§1798.80 et seq.
2. See, e.g., Mass. Regs. Code tit. 201, §17.04(5).
3. See 45 C.F.R. §164.312(a)(2), (e)(2).
4. 16 C.F.R. pt. 682.
5. Zubulake v. UBS Warburg, 229 F.R.D. 422, 439 (S.D.N.Y. 2004).
6. See, e.g., Triple-I v. Hudson Assoc. Consulting, 2009 U.S. Dist. LEXIS 37447, *10, n. 8 (D. Kan. May 1, 2009) (noting that both parties should confer to resolve production problems that could be as simple as a bad disk or the difference in the parties’ respective computer formats (Mac vs. PC)).
7. See, e.g., Columbia Pictures Indus. v. Fung, 2007 U.S. Dist. LEXIS 97676, *3 (C.D. Cal. 2007) (holding defendants must preserve data within their possession, custody or control).
8. See, e.g., In re NTL Securities Litigation, 2007 U.S. Dist. LEXIS 6198 (S.D.N.Y. 2007).
9. 2011 U.S. Dist. LEXIS 121511 (D. Minn. Oct. 19, 2011).
10. 242 F.R.D. 353, 354-355 (E.D. Va. 2006).
11. Nat’l Ass’n of Radiation Survivors v. Turnage, 115 F.R.D. 543, 557 (N.D. Cal. 1987) (imputed knowledge prevents “an agency, corporate officer, or legal department [from shielding] itself from discovery obligations by keeping its employees ignorant”); cf. New Times v. Arpaio, 217 Ariz. 533, 541, 177 P.3d 275, 283 (App. 2008).
12. E.I. Du Pont de Nemours & Co. v. Kolon Indus., 803 F.Supp.2d 469, 499 (E.D. Va. 2011); Victor Stanley v. Creative Pipe, 269 F.R.D. 497, 516 n.23 (D. Md. 2010).
13. 251 F.R.D. 191 (D.S.C. 2008).
14. Cf. USI Ins. Servs. v. Miner, 801 F.Supp.2d 175, 196, n. 21 (S.D.N.Y. 2011) (evidence of misappropriation where employee uses work email address to email file to personal email account).
15. Employers must keep accurate records of all time worked by non-exempt employees. See 29 C.F.R. §516.2.
16. For a more comprehensive review of the issues addressed in this article, see Littler Mendelson’s Report on the “Bring Your Own Device” to Work Movement, http://www.littler.com/publication-press/publication/bring-your-own-device-work-movement.